Skip to main content

Azure DevOps Cloud

Overview

Checkmarx One supports Azure DevOps integration, enabling automated scanning of your Azure DevOps projects whenever the code is updated. Checkmarx One’s Azure DevOps integration listens for Azure DevOps commit events and uses a webhook to trigger Checkmarx scans when a push, or a pull request occurs. Once a scan is completed, the results can be viewed in Checkmarx One.

In addition, for pull requests, a comment is created in Azure DevOps, which includes a scan summary, list of vulnerabilities and a link to view the scan results in Checkmarx One.

Notice

  • This integration supports both public and private git based repos.

  • Checkmarx One does not support integration with Team Foundation Version Control (TFVC) based repos using the UI.

  • Team Foundation Version Control (TFVC) based repos are only supported by using Checkmarx One Azure DevOps Plugin.

The integration is done on a per project basis, with a specific Checkmarx One Project corresponding to a specific Azure DevOps repo.

Notice

You can select several repos to create multiple integrations in a bulk action.

Prerequisites

  • The source code for your project is hosted on a Azure DevOps repo.

  • You have a Checkmarx One account and have credentials to log in to your account.

    Important

    The user must have create-project permission.

  • The Azure DevOps user has admin privileges for this repo, see Code Repository Integrations.

  • Verify that in the Azure DevOps Organization settings under Organization Settings → Policies →Third-Party application access via OAuth” is enabled - For additional assistance use the following link: Azure DevOps connection and security policies.

    For example:

    6297288859.png

Setting up the Integration and Initiating a Scan

To integrate your Azure DevOps organization with Checkmarx One, perform the following:

  1. In the Applications and Projects home page, click on New > New Project - Code Repository Integration.

    Code_Repo_Integration.png

    The Import From window opens.

    Image_946.png
  2. Select Azure.

    Azure_DevOps_Select.png
  3. Sign in to Azure DevOps account.

  4. Approve the Checkmarx One request to access the Azure DevOps account by clicking Accept.

    6427476030.png
  5. Select the Azure DevOps Organization or Group (for the requested repository) and click Select Organization.

    Azure_DevOps_Select_Org.png
  6. Select the Repository inside the Azure DevOps organization and click Next.

    Note

    • A separate Checkmarx One Project will be created for each repo that you import.

    • There can’t be more than one Checkmarx One Project per repo. Therefore, once a Project has been created for a repo, that repo is greyed out in the Import dialog.

    Azure_DevOps_Select_Repo.png
  7. In the Repositories Settings screen, perform the following and click Next.

    • Permissions:

      • Scan Trigger: Push, Pull request - Enable/disable automatic scans for every push event or pull request.

    • Scanners: Select the scanners for All/Specific repositories. At lease 1 scanner must be selected for each repository.

    • Protected Branches: Select which Protected Branches to scan for each repository.

      Note

      For additional information about Protected Branches see About Protected Branches

    • Add SSH key.

    • Assign Groups: Specify the Groups to which you would like to assign the project.

    • Assign Tags: Add Tags to the Project. Tags can be added as a simple strings or as key:value pairs.

    • Set Criticality Level: Manually set the project criticality level.

      Azure_DevOps_Repo_Settings.png

    Note

    If multiple repositories are selected, an additional configuration option will appear at the top of the wizard for applying settings to all selected repositories. Configure the necessary parameters, then scroll down on the right-side panel and click Apply to all.

    For example:

    All_Repo_Settings.png
  8. Select which Protected Branches to scan for each Repository and click Next.

    Note

    For additional information about Protected Branches see About Protected Branches

    Azure_DevOps_Select_Branches.png
  9. In the Advanced Options screen it is possible to select Scanning the default branch upon the creation of the Project.

    Click Create Project.

    Azure_DevOps_Advanced_Options.png
  10. The Project is successfully added to the Applications and Projects home page.

    Note

    In order to update the scanners see Imported Project Settings

    Azure_DevOps_Scan_Initiated.png

Update Project Settings

See Imported Project Settings.